List Archive: gentoo-dev
Headers:
To: gentoo-dev@g.o
From: Matthew Finkel <matthew.finkel@...>
Subject: Re: Re: UEFI secure boot and Gentoo
Date: Fri, 15 Jun 2012 01:01:57 -0400
On Fri, Jun 15, 2012 at 12:50 AM, Duncan <1i5t5.duncan@...> wrote:

> Greg KH posted on Thu, 14 Jun 2012 21:28:10 -0700 as excerpted:
>
> > So, anyone been thinking about this?  I have, and it's not pretty.
> >
> > Should I worry about this and how it affects Gentoo, or not worry about
> > Gentoo right now and just focus on the other issues?
> >
> > Minor details like, "do we have a 'company' that can pay Microsoft to
> > sign our bootloader?" is one aspect from the non-technical side that
> > I've been wondering about.
>
> I've been following developments and wondering a bit about this myself.
>
> I had concluded that at least for x86/amd64, where MS is mandating a user
> controlled disable-signed-checking option, gentoo shouldn't have a
> problem.  Other than updating the handbook to accommodate UEFI,
> presumably along with the grub2 stabilization, I believe we're fine as if
> a user can't figure out how to disable that option on their (x86/amd64)
> platform, they're hardly likely to be a good match for gentoo in any case.
>
> ARM and etc could be more problematic since MS is mandating no-unlock
> there, last I read.  I have no clue how they can get away with that
> anti-trust-wise, but anyway...  But I honestly don't know enough about other
> than x86/amd64 platforms to worry about it, personally.

For the short term, we don't have many options besides either adding to the documentation that the User needs to disable UEFI or wipe the current valid keys and add their own (Devs may need to make sure there's a way to do this on the livecd). Of course there's the third option of everyone purchasing a key from Verisign but....

As for non-x86 systems, Gentoo is in between a rock and a hard place. I hope there will be a similar mechanism for the user to implement their own valid key chain and remove Microsoft's, but who knows. The devs and we need to decide on a uniform way of handling this situation.

- Matt
References:
UEFI secure boot and Gentoo
-- Greg KH
Re: UEFI secure boot and Gentoo
-- Duncan


Updated Jun 29, 2012

Summary: Archive of the gentoo-dev mailing list.

Copyright 2001-2013 Gentoo Foundation, Inc.